ASA-SSM-20 in an active/standby failover configuration
Can you synchronize configuration data between two IPS systems?
I have two ASA-SSM-20 (6.1.1 E3), one in each of my ASAs. The ASAs are configured for failover. During configuration of the IPS module I always have to make the same changes on the standby unit as well. Is it possible to synchronize these two sensors, so that when one is configured the other is updated?
Thank you very much
Unlike the ASA, there is no automatic function to keep the configuration synchronized between the 2 SSMs.
A few options:
You can use the copy command to copy the configuration of one sensor to an FTP/SCP server.
Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy, it will ask whether to change the IP of the sensor to the one in the configuration file. You will need to tell it NOT to change the sensor's IP, otherwise you end up with 2 SSMs with the same IP address and will struggle to connect to them.
Another option is to use CSM. CSM has configuration that applies to single sensors, but also group configuration that can be applied across multiple sensors.
If you use group configuration, then you could make one change to the group's configuration and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).
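The copy-and-restore workflow above has one check worth automating: after the second sensor has been loaded from the first one's export, the two configurations should differ only in the settings that identify each module. The script below is an added example, not code from the thread or from Cisco; the two exports it compares are constructed in a simplified, sensor-CLI-like layout (real exports are longer), and the tuple of per-unit keys is an assumption you would extend for any other setting that legitimately differs between the two modules. It reports the drift between the sensors and flags the exact failure the answer warns about: both exports carrying the same host-ip.

```python
"""Drift check between two exported IPS sensor configurations.

Added example, not from the original thread. The exports below are
constructed in a simplified, sensor-CLI-like layout; PER_UNIT_KEYS is an
assumption listing the settings that are supposed to differ per module.
"""
from typing import Dict, List, Optional, Tuple

# Settings that identify one module and must differ between the two.
PER_UNIT_KEYS = ("host-ip", "host-name")

# Constructed sample export from the sensor in the active ASA.
SENSOR_PRIMARY = """\
service host
network-settings
host-ip 10.10.9.11/24,10.10.9.1
host-name ips-primary
telnet-option disabled
access-list 10.10.0.0/16
exit
exit
service signature-definition sig0
signatures 2004 0
status enabled true
exit
exit
"""

# Constructed sample export from the sensor in the standby ASA, with two
# changes that were never replicated to the other unit.
SENSOR_STANDBY = """\
service host
network-settings
host-ip 10.10.9.12/24,10.10.9.1
host-name ips-standby
telnet-option disabled
access-list 10.10.0.0/16
access-list 192.168.50.0/24
exit
exit
service signature-definition sig0
signatures 2004 0
status enabled false
exit
exit
"""


def normalize(config: str) -> List[Tuple[str, str]]:
    """Return (service section, setting line) pairs; blanks and exits dropped."""
    section = ""
    items: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        if line.startswith("service "):
            section = line          # remember which service block we are in
            continue
        items.append((section, line))
    return items


def is_per_unit(line: str) -> bool:
    """True for settings that are supposed to differ between the modules."""
    return line.split(" ", 1)[0] in PER_UNIT_KEYS


def config_drift(primary: str, standby: str) -> Dict[str, List[str]]:
    """Settings present on one sensor but not the other, per-unit keys excluded."""
    a = {f"{s}: {l}" for s, l in normalize(primary) if not is_per_unit(l)}
    b = {f"{s}: {l}" for s, l in normalize(standby) if not is_per_unit(l)}
    return {
        "only_on_primary": sorted(a - b),
        "only_on_standby": sorted(b - a),
    }


def host_ip(config: str) -> Optional[str]:
    """The sensor's own management address from its export, if present."""
    for _, line in normalize(config):
        if line.startswith("host-ip "):
            return line.split(" ", 1)[1]
    return None


def duplicate_host_ip(primary: str, standby: str) -> bool:
    """True when both exports carry the same host-ip: the copy rewrote it."""
    ip = host_ip(primary)
    return ip is not None and ip == host_ip(standby)


if __name__ == "__main__":
    for side, lines in config_drift(SENSOR_PRIMARY, SENSOR_STANDBY).items():
        print(side, lines)
    print("same management IP on both:",
          duplicate_host_ip(SENSOR_PRIMARY, SENSOR_STANDBY))
```

Run it against two real exports by reading the files into the two strings; anything listed under only_on_primary or only_on_standby is a change that was made on one module and never carried over, and a True from duplicate_host_ip means the copy was allowed to rewrite the sensor's address.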
Tags: Cisco Security
Similar Questions
-
Do I need two AIP-SSM modules if I'm in a failover configuration?
Is it possible to use a single AIP-SSM module in two ASAs that are configured in active/standby?
I would like to configure the module in the first ASA with the failover setting. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.
Would there be problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
Thanks in advance.
Hello
You must have an AIP-SSM in both ASAs in order to be able to run failover; without it, failover will not come up (because of the hardware mismatch).
Kind regards
Julio
-
Active/active failover configuration, LAN-based, PIX / ASA
Hi all
I would like to ask whether there is a length restriction between the two ASA5510s in a LAN-based failover? There shouldn't be, or am I wrong?
Thank you
Norbert
Hello
Normal Ethernet length of 100 m. Or you can use switches between them. I do not have a direct link.
Best regards, Celio
-
Update the license of an IPS ASA-SSM
Hello
We have an ASA-SSM-20 IPS; the license has expired and we purchased a SMARTnet contract for the device.
I would like to know how to upgrade the license.
We tried to do it via ASDM and chose the option to update from cisco.com. We got the following error:
internal error. Unable to send the license request. -4: unable to proxy transparent tunnel. Proxy returns "HTTP/1.1 403 Forbidden".
How do we solve this problem, or, if we use the other option, how do we get the license file?
Best regards
It seems that your AIP-SSM-20 is configured to use an HTTP proxy to connect to the Internet. If you allow the management IP address of the AIP-SSM-20 in your web proxy, it may solve your problem.
If this isn't the issue, you can always apply a license manually. Download your license file here:
https://Tools.Cisco.com/swift/LicensingUI/home
and apply it via ASDM or the CLI.
-Bob
-
Stateful failover active/standby
Hello guys.
I have two ASAs, same model and hardware. The ASAs were configured for stateful active/standby failover by someone a few years ago. It worked normally until recently and no one changed the configuration. Then the secondary unit failed. Ping between the 2 interfaces is OK. Please help me solve this problem.
on the primary
interface Management0/0
 description STATE Failover Interface
 management-only
interface GigabitEthernet1/1
 description LAN Failover Interface
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
on the secondary
interface Management0/0
 description STATE Failover Interface
 management-only
interface GigabitEthernet1/1
 description LAN Failover Interface
output of "show failover" on the PRIMARY
F1# show run failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
        This host: Primary - Active
                Active time: 5755203 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface Server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface Server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : state Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         76184539   0          767513     6
        sys cmd         767328     0          767326     1
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        25878669   0          11         5
        UDP conn        40545710   0          40         0
        ARP tbl         8987688    0          136        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     1140       0          0          0
        VPN IPSEC upd   4004       0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       6522961
        Xmit Q:         0       34      106685671
output of "show failover" on the SECONDARY
F1# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 03:36:23 ULAST Dec 15 2013
        This host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface Server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Active
                Active time: 5743217 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface Server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : state Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         765518     0          35843181   874
        sys cmd         765518     0          765516     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          12671303   80
        UDP conn        0          0          13432853   133
        ARP tbl         0          0          8968384    661
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     0          0          1137       0
        VPN IPSEC upd   0          0          3988       0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       9       72011189
        Xmit Q:         0       1       765518
You have a couple of No Link entries on your secondary as well as a No Link message on your primary.
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
I recommend that you check these cables. Don't forget that, if you changed the default configuration, a single interface failure, or even connectivity problems between an interface on the two ASAs, can cause a failover.
If this does not help, try entering the monitor-interface command for the interfaces.
--
Please do not forget to rate and choose a good answer -
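The answer above reads the two "show failover" dumps by eye; the parser below does the same read programmatically. It is an added example and not code from the thread or from Cisco. The sample it runs over is constructed to mirror the poster's output (same interface names, addresses and states, in the 8.2-era layout) rather than being a literal copy, and the parser only understands the unit header lines and the per-interface lines, which is enough to surface the peer reported as Failed and every interface reporting No Link.

```python
"""Spot the warning signs in "show failover" output.

Added example, not part of the original thread. SAMPLE_SHOW_FAILOVER is
constructed to mirror the poster's dump; the regexes assume the 8.2-era
layout for the "This host"/"Other host" and "Interface ..." lines.
"""
import re
from typing import List, Tuple

SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
        This host: Primary - Active
                Active time: 5755203 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface Server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface Server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
"""

# "This host: Primary - Active" / "Other host: Secondary - Failed"
UNIT_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
# "Interface Internet (202.131.225.90): No Link (Waiting)"
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s+(.+?)\s+\((\w+)\)\s*$")


def parse_units(text: str) -> List[dict]:
    """Group each unit's interface lines under its This/Other host header."""
    units: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()               # indentation carries no meaning here
        unit = UNIT_RE.match(line)
        if unit:
            current = {"which": unit.group(1), "role": unit.group(2),
                       "state": unit.group(3), "interfaces": []}
            units.append(current)
            continue
        iface = IFACE_RE.match(line)
        if iface and current is not None:
            current["interfaces"].append({
                "name": iface.group(1), "ip": iface.group(2),
                "status": iface.group(3), "monitor": iface.group(4)})
    return units


def failed_units(text: str) -> List[str]:
    """Roles of units in any state other than Active or Standby Ready."""
    healthy = {"active", "standby ready"}
    return [u["role"] for u in parse_units(text)
            if u["state"].lower() not in healthy]


def no_link_interfaces(text: str) -> List[Tuple[str, str]]:
    """(which host, interface name) for every interface reporting No Link."""
    return [(u["which"], i["name"])
            for u in parse_units(text)
            for i in u["interfaces"]
            if i["status"].lower().startswith("no link")]


def findings(text: str) -> List[str]:
    """What a first look at the dump should raise, as plain sentences."""
    notes = [f"unit {role} is not healthy" for role in failed_units(text)]
    notes += [f"{which} host: interface {name} has no link (check cable and switch port)"
              for which, name in no_link_interfaces(text)]
    # (Waiting) means the interface has not yet seen a hello from the mate,
    # so hellos are failing on the data interfaces as well as the failover link.
    if all(i["monitor"] == "Waiting"
           for u in parse_units(text) for i in u["interfaces"]):
        notes.append("every monitored interface is still Waiting for the mate's hellos")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_SHOW_FAILOVER):
        print("-", note)
```

On a live pair, paste the output of "show failover" from either unit into the text; the same three No Link entries and the Failed secondary come back as a list you can attach to a ticket or compare between the two units.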
Cisco ASA 8.4 active/standby failover with AnyConnect and a local CA
Hi friends,
I hope you are doing well! I've got a question; I hope you can help me. I've got an ASA 5550 with version 8.4(6); it is mainly for AnyConnect VPN remote access, which authenticates through certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I've heard from other network engineers that failover may not work when the ASA is acting as this local CA. Then I read the full failover chapter of the 8.4(6) configuration guide and I didn't find any restriction on failover and the local CA working together. I'm testing over the next weekend, but I would like to know from your experience whether I'll have problems with VPN connections or with the failover configuration.
Please do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.
Best regards!
It's in the documentation:
Does not support Active/Active or Active/Standby failover
And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".
-
ASA in transparent mode with LAN-based active/standby failover?
Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so, is there an example anywhere?
Thanks in advance
Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.
I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact it's very easy to configure failover in transparent mode. Less work.
I have listed the configs of both firewalls for your reference.
Main firewall
============
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
failover
failover lan unit primary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
The secondary firewall
=================
failover
failover lan unit secondary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
int GigabitEthernet0/3
 no shutdown
Hope the above helps.
-
Does reimaging an ASA-SSM affect the firewall itself?
We lost the login information for the IPS SSM on our ASA 5520. It seems we should reimage the module with a more recent software version. It is currently not in use, i.e. there are no rules for it on the firewall. Will this process take the firewall offline at all?
"show" command output:
Firewall03# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         xxxxxxx
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 001b.0ce2.xxxx to 001b.0ce2.xxxx  1.0          1.0(11)2     5.0000 E1
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               5.1(5)E1
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up
Firewall03# show module 1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL:           ftp://0.0.0.0/ t
Port IP Address:     0.0.0.0
Gateway IP Address:  0.0.0.0
VLAN ID:             0
No, it should not affect the operation of the firewall at all. It would only suffer if you used it inline with fail-close mode enabled.
-
Dear support,
I need to configure a Security Services Module-10 (model: ASA-SSM-10) on my ASA 5510 firewall. Could you provide the configuration steps and how to connect to the module?
Here is the information on the module
ciscoasa(config)# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF1115066U
Firmware version:   1.0(11)2
Software version:   1.0000 E1
MAC Address Range:  001a.e268.5aa9 to 001a.e268.5aa9
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       1.0000 E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       133.1.9.144
Mgmt web ports:     443
Mgmt TLS enabled:   true
Your help is very much appreciated.
Thank you
Best regards
Hi Sothengse,
Please find the sample AIP SSM module configurations below. You can go through these to begin with.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
https://www.YouTube.com/watch?v=FgYU5ZXwk4g
Regards
Knockaert
-
Hello all
We tried to give a server 14 GB of RAM and make a full reservation for it.
This is a server for exams and the vendor told us to do so. I can't get more than a 5500 MB reservation on it; when I go above that I get
"Insufficient resources to meet the level of failover configured for vSphere HA". We have:
2 x ESXi 5.1 hosts
Each host has
2 x processors (8 cores each) with HT active.
255.75 GB of RAM. vSphere HA has been activated.
Admission control is enabled and the failover capacity is 1 host. What is the problem here?
Thank you
Ernst.
Admission control policy is all about giving you the guarantee that, if a host failure happens, there will be enough resources to perform a successful failover.
In simple terms, it reserves resources for failover.
I would recommend going through the vSphere HA admission control policy concepts in the following document.
From page 22 on, the details you need to study are given. Focus especially on the slot size calculation part.
In your case you have vSphere HA with "number of host failures to tolerate" defined as the admission control policy.
This means the system will calculate CPU and memory slots out of the resources in your cluster and, from the total number of slots, it will keep some reserved for failover; the rest will be available for use. It all depends on how many host failures you want to tolerate.
Now, in your case, if you try to increase the reservation of one of the virtual machines, that will affect the number of slots in your environment, and if the reserved failover capacity is violated, the system will not let you do what you want to do, such as powering on a virtual machine, or increasing the reservation of a powered-on VM, etc.
If you find that you have enough resources in your cluster but, due to some virtual machines with very large CPU or memory reservations, the number of slots is less than expected, you can still tune some advanced settings in the vSphere HA configuration, but I strongly recommend getting the help of someone who has done it before.
Also try to go through the other admission control policies, which are explained in the document, for more input.
-
Programmatically change the active results configuration
I use TestStand 2012 SP1. I would like to be able to set the active results configuration in the process model. A station running our sequential model would set the sequential report configuration as the active one, while a station running a batch model would set the batch report as the active configuration. In addition, if a station can be both, the running application can select the appropriate process model and would then choose the appropriate report configuration.
I have set up the configurations but need to know how to set the active configuration. I don't want it on a per-sequence basis, but rather at the process model level so that it is executed once and done. This would allow developers to change their configuration but still have the batch or sequential reports selected according to which they are working on.
Thank you.
There are a few options here:
- Override the ModelOptions callback and change the setting for ModelPluginConfigurationToLoad to the appropriate configuration.
- Hard-code it in the callback in ModelSupport.seq. This way, anyone who overrides the callback can still call their own version.
- Hard-code it in the Initialize Entry Point execution, just before the ModelOptions callback is called in ModelSupport.seq. This way the customer can always override it and change it if they want.
If it were me, I'd go with option 3 for your case. You can use Parameters.ModelData.ModelType to determine which model they are running with. Then, simply set Locals.ModelPluginConfigurationToLoad to the proper configuration.
Hope this helps,
-
Not enough resources to meet the level of failover configured for vSphere HA
I have a vSphere 5.0 cluster based on 2 ESXi 5 nodes.
When I try to start a virtual machine, I get an error saying that there are "insufficient resources to meet the level of failover configured for vSphere HA".
If I turn off another VM the problem disappears and I can turn on my VM.
If I then try to turn on the virtual machine I have just turned off, I get the error again.
It seems obvious that there is a lack of resources or some setting is misconfigured, but even after reading the forums and manuals, I am unable to locate the critical resource or parameter that is not correct.
Based on my experience, neither the vSphere server nor the ESXi servers are overloaded.
I have another similar cluster hosting a larger number of virtual machines with no similar problem.
Which performance counter and which setting should I check to identify the bottleneck?
Regards
Marius
To check reservations for virtual machines, I would select the cluster in your vCenter inventory, then select the "Resources" tab. That displays the child objects of the cluster (VMs, resource pools, vApps). There you can view the CPU and memory resource settings. You'll want to look at the "Reservation" column.
To find the slot size and the available slots, look at the "Summary" tab of your cluster. There is a tile marked "vSphere HA". In this tile there will be a link for "Advanced Runtime Info", which opens a new window with the slot information.
When the admission control policy is set to "Number of host failures the cluster will tolerate", HA has a very pessimistic view of your resources, since it must be able to handle all the possibilities.
Another option would be to change the admission control policy in the cluster HA settings to "Percentage of resources reserved for failover". This reserves a portion of the resources for use by HA in the case of a failover, rather than trying to calculate the size of the individual virtual machines. With a 2-node cluster, I think it is a relatively safe bet to set these values to 50%, as your worst-case HA scenario would be losing a single host out of 2.
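The two answers on these threads (the earlier one explaining the slot-size calculation behind "host failures to tolerate", this one suggesting the percentage policy) describe arithmetic that is easier to trust once it is written down. The script below is an added example, not from either thread or from VMware: it computes the slot size, the slots per host, the failover capacity and the admission decision for both policies. Everything in it is constructed: the two identical hosts (sized like the posters' 2-node clusters), the VM list, and the per-VM memory overhead constant; the real HA calculation uses a measured per-VM overhead instead of a constant and may fragment slots differently, so treat the numbers as an illustration of the mechanism rather than as what vCenter would report.

```python
"""vSphere HA admission control, worked through in code.

Added example, not from either thread. It reproduces the slot-size
arithmetic behind the "Host failures the cluster tolerates" policy and
contrasts it with the "Percentage of cluster resources reserved" policy.
Hosts, VMs and the per-VM memory overhead constant are constructed; real
HA uses a measured per-VM overhead rather than a constant.
"""
from typing import Dict, List, Tuple

DEFAULT_CPU_SLOT_MHZ = 32   # HA's default CPU slot when no VM reserves CPU
OVERHEAD_MB = 128           # assumed per-VM memory overhead (constructed)

# Two identical hosts, sized roughly like the posters' 2-node clusters.
HOSTS: List[Dict[str, int]] = [
    {"name": "esx01", "cpu_mhz": 32000, "mem_mb": 261888},
    {"name": "esx02", "cpu_mhz": 32000, "mem_mb": 261888},
]

# Twenty powered-on VMs with a 2 GB memory reservation each ...
RUNNING_VMS: List[Dict[str, int]] = [
    {"cpu_mhz": 0, "mem_mb": 2048} for _ in range(20)
]
# ... and the exam server the first poster wants to start with 14 GB reserved.
EXAM_SERVER: Dict[str, int] = {"cpu_mhz": 0, "mem_mb": 14336}


def slot_size(vms: List[Dict[str, int]]) -> Tuple[int, int]:
    """(CPU MHz, memory MB) of one slot: the largest reservation of any VM."""
    cpu = max((v["cpu_mhz"] for v in vms), default=0) or DEFAULT_CPU_SLOT_MHZ
    mem = max((v["mem_mb"] for v in vms), default=0) + OVERHEAD_MB
    return cpu, mem


def slots_per_host(host: Dict[str, int], slot: Tuple[int, int]) -> int:
    """Whole slots a host can hold; the scarcer resource decides."""
    cpu, mem = slot
    return min(host["cpu_mhz"] // cpu, host["mem_mb"] // mem)


def available_slots(hosts, vms, host_failures: int = 1) -> int:
    """Slots usable by powered-on VMs once failover capacity is set aside."""
    slot = slot_size(vms)
    per_host = sorted((slots_per_host(h, slot) for h in hosts), reverse=True)
    # HA sets aside the slots of the largest N hosts as failover capacity.
    return sum(per_host) - sum(per_host[:host_failures])


def admit_by_host_failures(hosts, running, candidate, host_failures: int = 1) -> bool:
    """'Host failures to tolerate' policy: one slot per powered-on VM."""
    vms = running + [candidate]      # the candidate's reservation resizes the slot
    return len(vms) <= available_slots(hosts, vms, host_failures)


def admit_by_percentage(hosts, running, candidate, reserved_pct: int = 50) -> bool:
    """'Percentage reserved' policy: reservations vs. the unreserved share."""
    vms = running + [candidate]
    cpu_need = sum(v["cpu_mhz"] or DEFAULT_CPU_SLOT_MHZ for v in vms)
    mem_need = sum(v["mem_mb"] + OVERHEAD_MB for v in vms)
    share = (100 - reserved_pct) / 100
    cpu_cap = sum(h["cpu_mhz"] for h in hosts) * share
    mem_cap = sum(h["mem_mb"] for h in hosts) * share
    return cpu_need <= cpu_cap and mem_need <= mem_cap


if __name__ == "__main__":
    everything = RUNNING_VMS + [EXAM_SERVER]
    print("slot size with the 14 GB VM:", slot_size(everything))
    print("usable slots:", available_slots(HOSTS, everything))
    print("admit under host-failures policy:",
          admit_by_host_failures(HOSTS, RUNNING_VMS, EXAM_SERVER))
    print("admit under 50% policy:",
          admit_by_percentage(HOSTS, RUNNING_VMS, EXAM_SERVER))
```

With these inputs the single 14 GB reservation drags the slot size up to 14464 MB, so each 256 GB host holds only 18 slots and, with one host's worth held back, 18 slots must cover 21 VMs: the power-on is refused even though the hosts are nearly idle. A 5 GB reservation on the same VM passes, and the percentage policy passes the 14 GB case because it only sums reservations against half the cluster.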
-
How to control client-to-site activity (IPsec, ASA)
I have a client-to-site VPN configuration on my 5505 according to the directives in Chapter 35 of the ASA 8.x configuration guide.
One thing I am not sure about is how I can control what VPN users can connect to. I see nothing in the config that binds them to the inside interface, so what prevents them from connecting to the DMZ as well? How do I limit connectivity so they can only connect to a host on the inside? Or to a host on the inside and another on the DMZ?
Thank you
I think this is what you're looking for.
It will be useful.
-
ASA 5505 DMZ for the guest wireless access
Hello
Here is my dilemma:
I'm deploying an Apple AirPort Extreme base station with 7 AirPort Express "repeaters" throughout my network/building. Apple only allows two wireless networks, public and private. Your only choice is 192.168.x.x, 172.13.x.x or 10.10.x.x for each subnet. NO VLAN tagging.
It wasn't my decision... Apple CEO has fever.
So I'm stuck on how to implement this without VLANs. The guest/public subnet needs to be isolated to outside access only, while the private subnet requires access to both.
Any suggestion would be greatly appreciated.
What will the Security Plus license allow me to do?
The Security Plus license allows the use of trunks on the ASA 5505. It also increases the maximum number of configurable VLANs to 20. It allows active/standby failover and increases the number of licensed IPsec VPN tunnels.
The problem with the base license is that you can have 3 VLANs configured and the 3rd VLAN is a "restricted" VLAN. This means that you cannot pass traffic to or from the inside VLAN on the 3rd VLAN (or DMZ VLAN if you prefer to call it that). So this DMZ VLAN won't be able to communicate with the internet.
So, if your private wireless network and the local network will be on the same subnet, your public wireless network can be in VLAN 3. If this isn't the case, you will need to get the Security Plus license.
--
Please do not forget to rate and choose a good answer -
ASA-SSM-10 upgrade with no license or signatures
I successfully upgraded our ASA-5510 with the latest version of the software.
Our IPS module, however, an ASA-SSM-10, seems to be at factory default settings with only an IP address configured, without any license or certificates. Can the ASA-SSM-10 module be upgraded without licenses or certificates? In addition, using PuTTY I am able to connect to the ASA-SSM-10 module and ping from the module to my laptop, which I have connected via the management port. I am unable to ping from the laptop to the ASA-SSM-10 module, though.
Continuing the investigation: apart from the management port IP address, there is no VLAN, gateway, image URL or port IP address configured. Is there a simple way to upgrade the software on the ASA-SSM-10 without affecting our two ASA-5510s that are configured for failover?
I suppose I can set up a VLAN, gateway and port address to get my laptop to ping the ASA-SSM-10 module and upgrade it without affecting our ASA-5510s that are configured for failover. ***
You can still attach licenses for the legacy IPS until April 26. But the question is whether it is worth spending time and money on it now. The legacy IPS is dead and you should focus on FirePOWER for IPS. But that does not work on your hardware.